Virtumundo [Solved]


#1 mpurchases (Member, 72 posts)
I followed ALL the steps in the Malware and Spyware cleaning guide.

I was unable to download and/or run Malwarebytes, even with renaming it. So I cannot upload the MBAM log.

Here are the logs:
The first log is the GMER rootkit scan log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-02 22:00:42
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awtdrpow.sys

---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\feyumaze.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [604] 0x00E20000
Library C:\WINDOWS\system32\feyumaze.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [772] 0x10000000
Library C:\WINDOWS\system32\feyumaze.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [820] 0x10000000
Library C:\WINDOWS\system32\feyumaze.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [832] 0x10000000
Library C:\WINDOWS\system32\feyumaze.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [1020] 0x00A90000
Library C:\WINDOWS\system32\feyumaze.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [1124] 0x06180000
Library C:\WINDOWS\system32\feyumaze.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1572] 0x02CF0000
Library C:\WINDOWS\system32\feyumaze.dll (*** hidden *** ) @ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for gmer[1].zip\gmer.exe [1900] 0x10000000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\kofemube.dll 62464 bytes executable
File C:\WINDOWS\system32\fajohiti.dll 62464 bytes executable
File C:\WINDOWS\system32\feyumaze.dll 62464 bytes executable
File C:\WINDOWS\system32\yolutuzu 6456 bytes

---- EOF - GMER 1.0.15 ----


HERE IS THE OTL.Txt LOG:

OTL logfile created on: 4/2/2010 10:02:55 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 717.00 Mb Available Physical Memory | 71.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 19.42 Gb Free Space | 52.12% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOMAMA
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user



HERE IS THE EXTRAS.TXT LOG

OTL Extras logfile created on: 4/2/2010 10:02:55 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 717.00 Mb Available Physical Memory | 71.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 19.42 Gb Free Space | 52.12% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOMAMA
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Disabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" = C:\Program Files\Alwil Software\Avast5\AvastSvc.exe:*:Enabled:AvastSvc -- (ALWIL Software)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0134A1A1-C283-4A47-91A1-92F19F960372}" = Adobe Creative Suite 2
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{46548E80-0409-0000-7E8A-45000F855001}" = Adobe GoLive CS2
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{689E0AB3-50B2-4E5A-9DCE-6DA9F5BE1314}" = BlackBerry® Media Sync
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{7F4C8163-F259-49A0-A018-2857A90578BC}" = Adobe InDesign CS2
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{A5181519-9F3D-4372-ABC6-C333C2F3A816}_is1" = RunAlyzer
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AC96671C-2001-432C-9826-5266D84EF1DC}" = Logitech Webcam Software
"{ADBE46EE-54E0-4610-B436-D7E93D829100}" = Adobe Version Cue CS2
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}" = Adobe Illustrator CS2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{B98BE95C-E76F-4246-B8E6-BEB8EE791D06}" = Roxio Media Manager
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C49DAA9C-5BA8-459A-8244-E57B69DF0F04}" = Suite Specific
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{E5BA0430-919F-46DD-B656-0796F8A5ADFF}" = Microsoft Office Communicator 2007
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"avast5" = avast! Free Antivirus
"BlackBerry_{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"CleanUp!" = CleanUp!
"CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D110 MDC V.9x Modem
"Creative Live! Cam Center" = Creative Live! Cam Center
"Creative VF0230" = Creative Live! Cam Video IM Pro Driver (1.02.02.1018)
"ENTERPRISER" = Microsoft Office Enterprise 2007
"ERUNT_is1" = ERUNT 1.1j
"HijackThis" = HijackThis 2.0.2
"HP Photo & Imaging" = HP Image Zone 4.2
"ie8" = Windows Internet Explorer 8
"lvdrivers_12.0" = Logitech Webcam Software Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PROHYBRIDR" = 2007 Microsoft Office system
"RealPlayer 12.0" = RealPlayer
"VLC media player" = VLC media player 1.0.3
"Windows Media Format Runtime" = Windows Media Format Runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"YRefresher_is1" = Yrefresher 1.00

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/1/2010 9:08:39 PM | Computer Name = YOMAMA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x028c13b2.

Error - 4/1/2010 9:14:11 PM | Computer Name = YOMAMA | Source = Ci | ID = 4124
Description = Content index on c:\system volume information\catalog.wci is corrupt.
Please shutdown and restart the Indexing Service (cisvc).

Error - 4/1/2010 9:14:11 PM | Computer Name = YOMAMA | Source = Ci | ID = 4126
Description = Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci.
Index will be automatically restored by refiltering all documents.

Error - 4/2/2010 9:45:24 AM | Computer Name = YOMAMA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/2/2010 9:51:54 AM | Computer Name = YOMAMA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x023d139c.

Error - 4/2/2010 11:14:36 AM | Computer Name = YOMAMA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x0249139c.

Error - 4/2/2010 12:00:01 PM | Computer Name = YOMAMA | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 12.0.4518.1014, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/2/2010 1:31:02 PM | Computer Name = YOMAMA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x024f139c.

Error - 4/2/2010 2:23:13 PM | Computer Name = YOMAMA | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/2/2010 8:45:13 PM | Computer Name = YOMAMA | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ OSession Events ]
Error - 11/20/2009 11:57:01 AM | Computer Name = YOMAMA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 1283
seconds with 420 seconds of active time. This session ended with a crash.

Error - 11/20/2009 12:02:38 PM | Computer Name = YOMAMA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 322
seconds with 120 seconds of active time. This session ended with a crash.

Error - 11/20/2009 12:03:12 PM | Computer Name = YOMAMA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 21
seconds with 0 seconds of active time. This session ended with a crash.

Error - 11/20/2009 12:03:36 PM | Computer Name = YOMAMA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 15
seconds with 0 seconds of active time. This session ended with a crash.

Error - 11/20/2009 12:19:37 PM | Computer Name = YOMAMA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 924
seconds with 0 seconds of active time. This session ended with a crash.

Error - 12/16/2009 10:56:21 PM | Computer Name = YOMAMA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 18951
seconds with 360 seconds of active time. This session ended with a crash.

Error - 12/20/2009 12:16:37 PM | Computer Name = YOMAMA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 82583
seconds with 15120 seconds of active time. This session ended with a crash.

Error - 12/20/2009 12:18:09 PM | Computer Name = YOMAMA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 35
seconds with 0 seconds of active time. This session ended with a crash.

Error - 1/12/2010 12:36:22 PM | Computer Name = YOMAMA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 19
seconds with 0 seconds of active time. This session ended with a crash.

Error - 1/12/2010 12:36:50 PM | Computer Name = YOMAMA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 16
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 4/2/2010 8:10:40 PM | Computer Name = YOMAMA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/2/2010 8:11:07 PM | Computer Name = YOMAMA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/2/2010 8:13:07 PM | Computer Name = YOMAMA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/2/2010 8:14:06 PM | Computer Name = YOMAMA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/2/2010 8:42:15 PM | Computer Name = YOMAMA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/2/2010 8:43:43 PM | Computer Name = YOMAMA | Source = NETLOGON | ID = 3095
Description = This computer is configured as a member of a workgroup, not as a member
of a domain. The Netlogon service does not need to run in this configuration.

Error - 4/2/2010 8:51:08 PM | Computer Name = YOMAMA | Source = NETLOGON | ID = 3095
Description = This computer is configured as a member of a workgroup, not as a member
of a domain. The Netlogon service does not need to run in this configuration.

Error - 4/2/2010 8:51:14 PM | Computer Name = YOMAMA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/2/2010 8:52:27 PM | Computer Name = YOMAMA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Aavmker4 aswSP aswTdi Fips intelppm

Error - 4/2/2010 10:00:41 PM | Computer Name = YOMAMA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >

#2 inzanity (Member, 37 posts)
Hello and :)

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
This may cause a delay, but I will do my best to keep it as short as possible.

Log research takes time, so please be patient and I'd be grateful if you would note the following:
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Do not install/uninstall anything on your computer unless advised.
  • Do not run any other scanning tools other than those instructed for you to use.
  • Follow the instructions in the order they are given.
  • Stay with this thread until advised when your computer is clean. Absence of symptoms does not necessarily mean a clean computer.
  • If you are being helped regarding this problem on another forum, please advise us so that we can close this thread.
  • If you do not reply within 3 days after my last response, I will be asking you whether you still need assistance and if you still don't reply within 24 hours then the topic will be closed.
  • And lastly, if you have any questions, please ask before proceeding with any of the advised fixes.

_________________________________________________


Before we continue, please post the entire contents of OTL.txt log as it is cut off. Thanks.

#3 mpurchases (Topic Starter, Member, 72 posts)
OTL logfile created on: 4/2/2010 10:02:55 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 717.00 Mb Available Physical Memory | 71.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 19.42 Gb Free Space | 52.12% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOMAMA
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/02 22:01:45 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2008/08/21 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/04/02 22:01:45 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2010/01/02 20:59:18 | 000,092,160 | -HS- | M] () -- C:\WINDOWS\system32\runasate.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Disabled | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/03/09 06:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/04/30 17:01:10 | 000,154,136 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2005/04/04 18:58:28 | 000,163,840 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe -- (Adobe Version Cue CS2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/04/02 09:36:48 | 000,385,900 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 13312 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {513caca6-90e9-4d82-9ee1-894812662eb6} - C:\WINDOWS\System32\kofemube.dll ()
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (RefresherBand Class) - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\Program Files\YRefresher\YRefresher.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [pumamivuz] C:\WINDOWS\System32\runasate.DLL ()
O4 - HKLM..\Run: [V0230Mon.exe] C:\WINDOWS\V0230Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [visazeyilu] C:\WINDOWS\System32\fajohiti.dll ()
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe File not found
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2....re/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (feyumaze.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\runasate.dll) - C:\WINDOWS\system32\runasate.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: lihizabeg - {382b8d24-8132-47d7-843b-eb527306b84c} - C:\WINDOWS\system32\runasate.dll ()
O22 - SharedTaskScheduler: {382b8d24-8132-47d7-843b-eb527306b84c} - gahurihor - C:\WINDOWS\system32\runasate.dll ()
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O27 - HKLM IFEO\MpCmdRun.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\MSASCui.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\MsMpEng.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\msseces.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/09 17:50:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{483544cf-0cfb-11de-9ebe-0013ce871ce7}\Shell\AutoRun\command - "" = 8x.bat
O33 - MountPoints2\{483544cf-0cfb-11de-9ebe-0013ce871ce7}\Shell\explore\Command - "" = 8x.bat
O33 - MountPoints2\{483544cf-0cfb-11de-9ebe-0013ce871ce7}\Shell\open\Command - "" = 8x.bat
O33 - MountPoints2\{483544d1-0cfb-11de-9ebe-0013ce871ce7}\Shell - "" = AutoRun
O33 - MountPoints2\{483544d1-0cfb-11de-9ebe-0013ce871ce7}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{483544d1-0cfb-11de-9ebe-0013ce871ce7}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2010/04/02 20:43:53 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error starting restore point: The function was called in safe mode.
Error closing restore point: The sequence number is invalid.

========== Files/Folders - Created Within 14 Days ==========

[2010/04/02 22:01:35 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/04/02 20:59:33 | 005,918,768 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/04/02 20:58:35 | 000,000,000 | ---D | C] -- C:\Program Files\renamed
[2010/04/02 20:57:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/04/02 20:55:57 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/02 20:55:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/02 20:55:54 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/02 20:55:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/02 20:53:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/02 20:52:53 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/02 20:41:05 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/04/02 20:27:59 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/04/02 11:20:06 | 000,000,000 | ---D | C] -- C:\!KillBox
[2010/04/02 11:07:19 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/02 10:22:49 | 000,162,640 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/02 10:22:49 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/02 10:22:48 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/02 10:22:46 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/02 10:22:42 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/02 10:22:42 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/02 10:22:42 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/02 10:22:16 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/02 10:22:16 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/02 10:21:59 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/02 10:21:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/04/02 09:37:35 | 000,000,000 | ---D | C] -- C:\Program Files\Safer Networking
[2010/03/31 20:00:37 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/02/08 22:39:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2009/12/22 22:35:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/07/25 12:27:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/07/23 08:00:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/03/09 17:57:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/03/09 17:50:04 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2003/05/27 13:37:24 | 001,953,792 | ---- | C] (Hewlett-Packard Corp.) -- C:\Program Files\pcldll6l.dll
[2003/05/27 13:37:24 | 000,900,388 | ---- | C] (Macromedia, Inc.) -- C:\Program Files\hpflash1.exe
[2003/05/27 13:37:24 | 000,151,552 | ---- | C] (Hewlett-Packard Company) -- C:\Program Files\SDhp1000.DLL
[2003/05/27 13:37:24 | 000,147,456 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\Sr32.dll
[2003/05/27 13:37:24 | 000,147,456 | ---- | C] (Zenographics) -- C:\Program Files\ZUNINST.EXE
[2003/05/27 13:37:24 | 000,135,168 | ---- | C] (Hewlett-Packard Company) -- C:\Program Files\SUhp1000.DLL
[2003/05/27 13:37:24 | 000,122,880 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\SDDMUI.DLL
[2003/05/27 13:37:24 | 000,099,616 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\IMF16.drv
[2003/05/27 13:37:24 | 000,098,304 | ---- | C] (Zenographics) -- C:\Program Files\vsetup.dll
[2003/05/27 13:37:24 | 000,090,112 | ---- | C] (Zenographics) -- C:\Program Files\apptune.exe
[2003/05/27 13:37:24 | 000,086,016 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\ZSPOOL.DLL
[2003/05/27 13:37:24 | 000,077,824 | ---- | C] (Zenographics) -- C:\Program Files\zlmhp1.dll
[2003/05/27 13:37:24 | 000,073,728 | ---- | C] (Zenographics) -- C:\Program Files\ZSHP1000.dll
[2003/05/27 13:37:24 | 000,070,656 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\Sd32.dll
[2003/05/27 13:37:24 | 000,065,536 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\SDDM32.DLL
[2003/05/27 13:37:24 | 000,054,784 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\zPJL.dll
[2003/05/27 13:37:24 | 000,049,152 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\IMFPRINT.DLL
[2003/05/27 13:37:24 | 000,047,120 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\SD4.DLL
[2003/05/27 13:37:24 | 000,045,056 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\zpp.dll
[2003/05/27 13:37:24 | 000,036,864 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\zpppcl.dll
[2003/05/27 13:37:24 | 000,036,864 | ---- | C] (Zenographics) -- C:\Program Files\zstatus.exe
[2003/05/27 13:37:24 | 000,036,864 | ---- | C] (Zenographics) -- C:\Program Files\fwdl.exe
[2003/05/27 13:37:24 | 000,032,256 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\imfnt5.dll
[2003/05/27 13:37:24 | 000,029,184 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\ZSPOOL32.EXE
[2003/05/27 13:37:24 | 000,028,672 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\zlm.dll
[2003/05/27 13:37:24 | 000,028,672 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\SDNT5UI.dll
[2003/05/27 13:37:24 | 000,026,624 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\QDPRINT.DLL
[2003/05/27 13:37:24 | 000,023,552 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\ZGDI32.DLL
[2003/05/27 13:37:24 | 000,022,608 | ---- | C] (Microsoft Corporation) -- C:\Program Files\USBPRINT.SYS
[2003/05/27 13:37:24 | 000,019,456 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\ZTAG32.DLL
[2003/05/27 13:37:24 | 000,018,944 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\SDIMF32.DLL
[2003/05/27 13:37:24 | 000,016,384 | ---- | C] (Zenographics) -- C:\Program Files\ZJBIG.dll
[2003/05/27 13:37:24 | 000,012,288 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\IMF32.DLL
[2003/05/27 13:37:24 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Program Files\USBMON.DLL
[2003/05/27 13:37:24 | 000,009,216 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\Zlang.dll
[2003/05/27 13:37:24 | 000,008,704 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\ZPRINT32.EXE
[2003/05/27 13:37:24 | 000,005,632 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\SDNTUM4.DLL

========== Files - Modified Within 14 Days ==========

[2010/04/02 22:02:09 | 004,718,592 | -H-- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/04/02 22:01:45 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/04/02 21:00:05 | 000,000,599 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/02 20:59:33 | 005,918,768 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/04/02 20:54:49 | 000,000,582 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/02 20:54:49 | 000,000,239 | RHS- | M] () -- C:\boot.ini
[2010/04/02 20:54:49 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/02 20:52:54 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2010/04/02 20:52:54 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2010/04/02 20:50:53 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/02 20:50:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/02 20:43:34 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/02 20:42:16 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/04/02 20:41:19 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/04/02 10:22:50 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/04/02 10:22:43 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/02 09:36:48 | 000,385,900 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2010/04/02 20:55:59 | 000,000,599 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/02 20:52:54 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2010/04/02 20:52:54 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2010/04/02 10:22:50 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/01/19 19:56:42 | 000,186,584 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/01/02 20:59:18 | 000,092,160 | -HS- | C] () -- C:\WINDOWS\System32\runasate.dll
[2010/01/02 20:59:18 | 000,061,952 | -HS- | C] () -- C:\WINDOWS\System32\lohulatu.dll
[2010/01/02 20:59:18 | 000,039,424 | -HS- | C] () -- C:\WINDOWS\System32\nozahiti.dll
[2010/01/02 08:59:08 | 000,092,160 | -HS- | C] () -- C:\WINDOWS\System32\pihuwali.dll
[2010/01/02 08:59:07 | 000,062,464 | -HS- | C] () -- C:\WINDOWS\System32\saheloju.dll
[2010/01/02 08:59:07 | 000,061,952 | -HS- | C] () -- C:\WINDOWS\System32\jirohowu.dll
[2010/01/01 20:58:47 | 000,092,160 | -HS- | C] () -- C:\WINDOWS\System32\pabawifu.dll
[2010/01/01 20:58:47 | 000,039,424 | -HS- | C] () -- C:\WINDOWS\System32\pimomana.dll
[2009/12/22 22:51:59 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/12/21 21:48:30 | 000,082,289 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/11/03 22:57:21 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2009/07/24 18:05:16 | 000,000,392 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/05/08 11:13:04 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2009/04/30 17:00:12 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2009/03/09 18:42:51 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/05/27 13:37:24 | 001,619,183 | ---- | C] () -- C:\Program Files\guide.pdf
[2003/05/27 13:37:24 | 000,114,233 | ---- | C] () -- C:\Program Files\sihp1000.img
[2003/05/27 13:37:24 | 000,088,504 | ---- | C] () -- C:\Program Files\dour65w.ttf
[2003/05/27 13:37:24 | 000,088,408 | ---- | C] () -- C:\Program Files\dour45w.ttf
[2003/05/27 13:37:24 | 000,080,712 | ---- | C] () -- C:\Program Files\dour66w.ttf
[2003/05/27 13:37:24 | 000,080,676 | ---- | C] () -- C:\Program Files\dour46w.ttf
[2003/05/27 13:37:24 | 000,054,675 | ---- | C] () -- C:\Program Files\SDhp1000.hlp
[2003/05/27 13:37:24 | 000,032,768 | ---- | C] () -- C:\Program Files\spldr.exe
[2003/05/27 13:37:24 | 000,032,351 | ---- | C] () -- C:\Program Files\hp1KW9x.cat
[2003/05/27 13:37:24 | 000,030,336 | ---- | C] () -- C:\Program Files\readme.wri
[2003/05/27 13:37:24 | 000,020,489 | ---- | C] () -- C:\Program Files\hp1KW2K.cat
[2003/05/27 13:37:24 | 000,010,546 | ---- | C] () -- C:\Program Files\read1st.txt
[2003/05/27 13:37:24 | 000,008,911 | ---- | C] () -- C:\Program Files\zUsb.cat
[2003/05/27 13:37:24 | 000,007,315 | ---- | C] () -- C:\Program Files\ZShp1000.hlp
[2003/05/27 13:37:24 | 000,003,608 | ---- | C] () -- C:\Program Files\HPLJ1000.INF
[2003/05/27 13:37:24 | 000,002,991 | ---- | C] () -- C:\Program Files\SDhp1000.sdd
[2003/05/27 13:37:24 | 000,001,598 | ---- | C] () -- C:\Program Files\sd4.ini
[2003/05/27 13:37:24 | 000,001,145 | ---- | C] () -- C:\Program Files\SDhp1000.UNZ
[2003/05/27 13:37:24 | 000,000,949 | ---- | C] () -- C:\Program Files\zUsb.inf
[2003/05/27 13:37:24 | 000,000,271 | ---- | C] () -- C:\Program Files\apptune.ini
[2001/11/15 09:17:14 | 000,000,054 | ---- | C] () -- C:\Program Files\HPLJ1000.DOI
[1996/10/07 15:53:58 | 000,006,020 | ---- | C] () -- C:\Program Files\HPLicen.txt

========== LOP Check ==========

[2010/04/02 10:21:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/07/22 07:12:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2010/02/08 21:44:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2009/03/09 18:37:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
[2009/11/02 17:54:59 | 000,000,456 | ---- | M] () -- C:\WINDOWS\Tasks\Driver Robot.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/08/21 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/08/21 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/08/21 08:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/08/21 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/08/21 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/08/21 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/08/21 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/08/21 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/08/21 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/03/09 09:33:04 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/03/09 09:33:04 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/03/09 09:33:04 | 000,913,408 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >

#4
mpurchases (Topic Starter, Member, 72 posts)
My antivirus program is blocking Vundo trojan viruses - ongoing.

Also, I am now, after running the cleaning guide programs, getting some DLL error on start-up.

Just FYI.

#5
inzanity (Member, 37 posts)
Hi,

Download Combofix from any of the links below. You must rename it before saving it. Save it as SubsFix.exe

* IMPORTANT !!! Save SubsFix.exe to your Desktop

Link 1
Link 2

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link - How to Disable your Security Programs
--------------------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

#6
mpurchases (Topic Starter, Member, 72 posts)
COMBO FIX LOG

ComboFix 10-04-03.02 - yomamason 04/04/2010 9:12.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.654 [GMT -4:00]
Running from: c:\documents and settings\yomamason\Desktop\SubsFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1417001333-1801674531-95566110-500
c:\windows\AppPatch\AcAdProc.dll
c:\windows\system32\feyumaze.dll
c:\windows\system32\nozahiti.dll
c:\windows\system32\pimomana.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-04 to 2010-04-04 )))))))))))))))))))))))))))))))
.

2010-04-03 00:58 . 2010-04-03 01:00 -------- d-----w- c:\program files\renamed
2010-04-03 00:57 . 2010-04-03 00:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-03 00:55 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-03 00:55 . 2010-04-03 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-03 00:55 . 2010-04-03 00:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 00:55 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-03 00:52 . 2010-04-03 00:52 -------- d-----w- c:\program files\ERUNT
2010-04-03 00:27 . 2010-04-03 00:27 -------- d-----w- C:\VundoFix Backups
2010-04-02 15:20 . 2010-04-02 15:20 -------- d-----w- C:\!KillBox
2010-04-02 15:07 . 2010-04-02 15:07 -------- d-----w- c:\program files\Trend Micro
2010-04-02 14:22 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-02 14:22 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-02 14:22 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-02 14:22 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-02 14:22 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-02 14:22 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-02 14:22 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-02 14:22 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-02 14:22 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-02 14:21 . 2010-04-02 14:21 -------- d-----w- c:\program files\Alwil Software
2010-04-02 14:21 . 2010-04-02 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-02 13:37 . 2010-04-02 13:37 -------- d-----w- c:\program files\Safer Networking
2010-04-01 00:00 . 2010-04-01 00:00 -------- d--h--w- c:\windows\PIF
2010-03-10 18:39 . 2010-03-10 18:39 439816 ----a-w- c:\documents and settings\yomamason\Application Data\Real\Update\setup3.10\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 17:12 . 2009-12-23 03:03 -------- d-----w- c:\documents and settings\yomamason\Application Data\vlc
2010-03-22 15:12 . 2009-07-24 20:32 -------- d-----w- c:\documents and settings\yomamason\Application Data\Skype
2010-03-21 16:37 . 2009-07-24 22:17 -------- d-----w- c:\documents and settings\yomamason\Application Data\skypePM
2010-03-18 14:52 . 2009-12-22 01:49 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-03-18 14:52 . 2009-12-22 01:47 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-03-04 17:51 . 2009-07-21 01:59 103928 ----a-w- c:\documents and settings\yomamason\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-09 03:15 . 2010-02-09 02:00 -------- d-----w- c:\documents and settings\yomamason\Application Data\Research In Motion
2010-02-09 02:56 . 2010-02-09 02:56 256 ----a-w- c:\documents and settings\yomamason\pool.bin
2010-02-09 02:56 . 2010-02-09 02:00 256 ----a-w- c:\windows\system32\pool.bin
2010-02-09 02:41 . 2010-02-09 02:01 -------- d-----w- c:\documents and settings\yomamason\Application Data\Roxio
2010-02-09 02:39 . 2010-02-09 02:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2010-02-09 01:58 . 2010-02-09 01:58 -------- d-----w- c:\documents and settings\yomamason\Application Data\InstallShield
2010-02-09 01:57 . 2010-02-09 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2010-02-09 01:56 . 2010-02-09 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-02-09 01:55 . 2010-02-09 01:42 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-02-09 01:54 . 2010-02-09 01:53 -------- d-----w- c:\program files\Roxio
2010-02-09 01:53 . 2010-02-09 01:53 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-02-09 01:45 . 2009-07-26 19:34 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-09 01:44 . 2010-02-09 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-02-09 01:44 . 2010-02-09 01:41 -------- d-----w- c:\program files\Research In Motion
2010-02-09 01:42 . 2010-02-09 01:41 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-01-19 23:56 . 2010-01-19 23:56 186584 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2001-11-15 13:17 . 2001-11-15 13:17 54 ----a-w- c:\program files\HPLJ1000.DOI
1996-10-07 19:53 . 1996-10-07 19:53 6020 ----a-w- c:\program files\HPLicen.txt
2010-01-02 12:59 . 2010-01-02 12:59 61952 --sha-w- c:\windows\system32\jirohowu.dll
2010-01-03 00:59 . 2010-01-03 00:59 61952 --sha-w- c:\windows\system32\lohulatu.dll
2010-01-02 00:58 . 2010-01-02 00:58 92160 --sha-w- c:\windows\system32\pabawifu.dll
2010-01-02 12:59 . 2010-01-02 12:59 62464 --sha-w- c:\windows\system32\saheloju.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^yomamason^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\yomamason\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 06:12 483328 ----a-w- c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 22:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 04:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 14:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2008-10-24 14:14 206112 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 14:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-05-08 15:35 2780432 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-24 00:20 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-12-23 02:48 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"JavaQuickStarterService"=3 (0x3)
"Adobe Version Cue CS2"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Alwil Software\\Avast5\\AvastSvc.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/2/2010 10:22 AM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/2/2010 10:22 AM 19024]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/9/2009 6:05 PM 80384]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [11/8/2009 6:25 PM 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [11/8/2009 6:25 PM 500608]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{513caca6-90e9-4d82-9ee1-894812662eb6} - kofemube.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-pumamivuz - c:\windows\system32\runasate.dll
HKLM-Run-visazeyilu - fajohiti.dll
SharedTaskScheduler-{382b8d24-8132-47d7-843b-eb527306b84c} - c:\windows\system32\runasate.dll
SSODL-lihizabeg-{382b8d24-8132-47d7-843b-eb527306b84c} - c:\windows\system32\runasate.dll
MSConfigStartUp-pumamivuz - c:\windows\system32\pihuwali.dll
MSConfigStartUp-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-04 09:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\COMRes.dll

- - - - - - - > 'explorer.exe'(5564)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\netdde.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\locator.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\vssvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-04 09:24:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-04 13:24

Pre-Run: 20,624,007,168 bytes free
Post-Run: 20,479,307,776 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30

- - End Of File - - 2A38D51D1D3A9688C47927092105C1CD

#7
inzanity
Member, 37 posts
Hi,

Please do the following:

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty in properly disabling your protective programs, refer to this link - How to Disable your Security Programs
--------------------------------------------------------------------

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...s...t&p=1798984

Collect::
c:\windows\system32\jirohowu.dll
c:\windows\system32\lohulatu.dll
c:\windows\system32\pabawifu.dll
c:\windows\system32\saheloju.dll
C:\WINDOWS\system32\yolutuzu

Folder::
C:\VundoFix Backups
C:\!KillBox

Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{483544cf-0cfb-11de-9ebe-0013ce871ce7}]

Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


#8
mpurchases
Topic Starter, Member, 72 posts
ComboFix 10-04-03.02 - yomamason 04/05/2010 13:19:30.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.660 [GMT -4:00]
Running from: c:\documents and settings\yomamason\Desktop\SubsFix.exe
Command switches used :: c:\documents and settings\yomamason\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\windows\system32\jirohowu.dll
file zipped: c:\windows\system32\lohulatu.dll
file zipped: c:\windows\system32\pabawifu.dll
file zipped: c:\windows\system32\saheloju.dll
file zipped: c:\windows\system32\yolutuzu
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\!KillBox
c:\!killbox\Logs\kb.log
C:\VundoFix Backups
c:\windows\system32\jirohowu.dll
c:\windows\system32\lohulatu.dll
c:\windows\system32\pabawifu.dll
c:\windows\system32\saheloju.dll
c:\windows\system32\yolutuzu

.
((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-03 00:58 . 2010-04-03 01:00 -------- d-----w- c:\program files\renamed
2010-04-03 00:57 . 2010-04-03 00:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-03 00:55 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-03 00:55 . 2010-04-03 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-03 00:55 . 2010-04-03 00:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 00:55 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-03 00:52 . 2010-04-03 00:52 -------- d-----w- c:\program files\ERUNT
2010-04-02 15:07 . 2010-04-02 15:07 -------- d-----w- c:\program files\Trend Micro
2010-04-02 14:22 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-02 14:22 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-02 14:22 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-02 14:22 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-02 14:22 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-02 14:22 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-02 14:22 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-02 14:22 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-02 14:22 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-02 14:21 . 2010-04-02 14:21 -------- d-----w- c:\program files\Alwil Software
2010-04-02 14:21 . 2010-04-02 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-02 13:37 . 2010-04-02 13:37 -------- d-----w- c:\program files\Safer Networking
2010-04-01 00:00 . 2010-04-01 00:00 -------- d--h--w- c:\windows\PIF
2010-03-10 18:39 . 2010-03-10 18:39 439816 ----a-w- c:\documents and settings\yomamason\Application Data\Real\Update\setup3.10\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 17:12 . 2009-12-23 03:03 -------- d-----w- c:\documents and settings\yomamason\Application Data\vlc
2010-03-22 15:12 . 2009-07-24 20:32 -------- d-----w- c:\documents and settings\yomamason\Application Data\Skype
2010-03-21 16:37 . 2009-07-24 22:17 -------- d-----w- c:\documents and settings\yomamason\Application Data\skypePM
2010-03-18 14:52 . 2009-12-22 01:49 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-03-18 14:52 . 2009-12-22 01:47 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-03-04 17:51 . 2009-07-21 01:59 103928 ----a-w- c:\documents and settings\yomamason\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-09 03:15 . 2010-02-09 02:00 -------- d-----w- c:\documents and settings\yomamason\Application Data\Research In Motion
2010-02-09 02:56 . 2010-02-09 02:56 256 ----a-w- c:\documents and settings\yomamason\pool.bin
2010-02-09 02:56 . 2010-02-09 02:00 256 ----a-w- c:\windows\system32\pool.bin
2010-02-09 02:41 . 2010-02-09 02:01 -------- d-----w- c:\documents and settings\yomamason\Application Data\Roxio
2010-02-09 02:39 . 2010-02-09 02:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2010-02-09 01:58 . 2010-02-09 01:58 -------- d-----w- c:\documents and settings\yomamason\Application Data\InstallShield
2010-02-09 01:57 . 2010-02-09 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2010-02-09 01:56 . 2010-02-09 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-02-09 01:55 . 2010-02-09 01:42 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-02-09 01:54 . 2010-02-09 01:53 -------- d-----w- c:\program files\Roxio
2010-02-09 01:53 . 2010-02-09 01:53 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-02-09 01:45 . 2009-07-26 19:34 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-09 01:44 . 2010-02-09 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-02-09 01:44 . 2010-02-09 01:41 -------- d-----w- c:\program files\Research In Motion
2010-02-09 01:42 . 2010-02-09 01:41 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-01-19 23:56 . 2010-01-19 23:56 186584 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2001-11-15 13:17 . 2001-11-15 13:17 54 ----a-w- c:\program files\HPLJ1000.DOI
1996-10-07 19:53 . 1996-10-07 19:53 6020 ----a-w- c:\program files\HPLicen.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^yomamason^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\yomamason\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 06:12 483328 ----a-w- c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 22:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 04:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 14:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2008-10-24 14:14 206112 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 14:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-05-08 15:35 2780432 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-24 00:20 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-12-23 02:48 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"JavaQuickStarterService"=3 (0x3)
"Adobe Version Cue CS2"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Alwil Software\\Avast5\\AvastSvc.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/2/2010 10:22 AM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/2/2010 10:22 AM 19024]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/9/2009 6:05 PM 80384]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [11/8/2009 6:25 PM 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [11/8/2009 6:25 PM 500608]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-05 13:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-05 13:27:05
ComboFix-quarantined-files.txt 2010-04-05 17:27
ComboFix2.txt 2010-04-04 13:24

Pre-Run: 20,442,521,600 bytes free
Post-Run: 20,407,508,992 bytes free

- - End Of File - - D2882322678B63F4447B60C213461722
Upload was successful

#9
inzanity
Member, 37 posts
Hi,

Let's do another run of GMER and OTL to see if there are any more remnants:
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.

    Posted Image
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt", or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


--Next--
  • Open OTL.exe.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • There will only be a single log produced: OTL.Txt.
    Note: This log can be located in the OTL folder on your C:\ drive if it fails to open automatically.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.
--Next--
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform full scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


To post in your next reply:
1. GMER log.
2. OTL log.
3. Malwarebytes' log.
4. How is your computer?

#10
mpurchases
Topic Starter, Member, 72 posts
Is GMER the same as ERUNT? I cannot find GMER on my computer. I cannot find gmer.exe.

I know I produced the logs you requested, but not sure where gmer.exe is.

Sorry.

#11
inzanity
Member, 37 posts
Hi,

No, it's not. Maybe you have deleted it? Try looking on your desktop for GMER.exe or GMER.zip.

#12
mpurchases
Topic Starter, Member, 72 posts
GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-06 11:49:07
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\YOMAMA~1\LOCALS~1\Temp\awtdrpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAAD42C56]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAAD42B12]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xAAD430C6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAAD42FF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAAD426E8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAAD42BEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAAD42628]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAAD4268C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAAD42D0C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xAAD43194]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAAD42CCC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAAD42E4C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xAAD4F4FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xAAD4F322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xAAD4F45C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----



OTL LOG

OTL logfile created on: 4/6/2010 11:55:55 AM - Run 2
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\yomamason\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 556.00 Mb Available Physical Memory | 55.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 18.92 Gb Free Space | 50.79% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOMAMA
Current User Name: yomamason
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\yomamason\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)
PRC - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\V0230Mon.exe (Creative Technology Ltd.)
PRC - C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrodist.exe (Adobe Systems Incorporated.)
PRC - C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe (Adobe Systems Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\yomamason\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\rsaenh.dll (Microsoft Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll (Microsoft Corporation)
MOD - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
MOD - C:\Program Files\Microsoft Office\Office12\GrooveUtil.dll (Microsoft Corporation)
MOD - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
MOD - C:\Program Files\Microsoft Office\Office12\GrooveNew.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)
SRV - (LVPrcSrv) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
SRV - (Adobe Version Cue CS2) -- C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe (Adobe Systems Incorporated)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3854968036-1053989040-1482831176-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKU\S-1-5-21-3854968036-1053989040-1482831176-1005\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-3854968036-1053989040-1482831176-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/04/04 09:19:42 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (RefresherBand Class) - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\Program Files\YRefresher\YRefresher.dll ()
O3 - HKU\S-1-5-21-3854968036-1053989040-1482831176-1005\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-3854968036-1053989040-1482831176-1005\..\Toolbar\WebBrowser: (RefresherBand Class) - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\Program Files\YRefresher\YRefresher.dll ()
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [V0230Mon.exe] C:\WINDOWS\V0230Mon.exe (Creative Technology Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3854968036-1053989040-1482831176-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3854968036-1053989040-1482831176-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3854968036-1053989040-1482831176-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3854968036-1053989040-1482831176-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2....re/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\yomamason\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\yomamason\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/09 17:50:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/04/06 11:50:01 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\yomamason\Desktop\OTL.exe
[2010/04/05 13:28:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/04 09:10:27 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/02 20:58:35 | 000,000,000 | ---D | C] -- C:\Program Files\renamed
[2010/04/02 20:55:57 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/02 20:55:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/02 20:55:54 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/02 20:55:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/02 20:53:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/02 20:52:53 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/02 11:07:19 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/02 11:05:35 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\yomamason\Desktop\HijackThisInstaller.exe
[2010/04/02 10:22:49 | 000,162,640 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/02 10:22:49 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/02 10:22:48 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/02 10:22:46 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/02 10:22:42 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/02 10:22:42 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/02 10:22:42 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/02 10:22:16 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/02 10:22:16 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/02 10:21:59 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/02 10:21:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/04/02 09:37:35 | 000,000,000 | ---D | C] -- C:\Program Files\Safer Networking
[2010/03/31 20:00:37 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/03/31 16:11:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yomamason\My Documents\John Gillis
[2010/02/08 22:39:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2009/12/22 22:35:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/07/25 12:27:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/07/23 08:00:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/03/09 17:57:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/03/09 17:50:04 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2003/05/27 13:37:24 | 001,953,792 | ---- | C] (Hewlett-Packard Corp.) -- C:\Program Files\pcldll6l.dll
[2003/05/27 13:37:24 | 000,900,388 | ---- | C] (Macromedia, Inc.) -- C:\Program Files\hpflash1.exe
[2003/05/27 13:37:24 | 000,151,552 | ---- | C] (Hewlett-Packard Company) -- C:\Program Files\SDhp1000.DLL
[2003/05/27 13:37:24 | 000,147,456 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\Sr32.dll
[2003/05/27 13:37:24 | 000,147,456 | ---- | C] (Zenographics) -- C:\Program Files\ZUNINST.EXE
[2003/05/27 13:37:24 | 000,135,168 | ---- | C] (Hewlett-Packard Company) -- C:\Program Files\SUhp1000.DLL
[2003/05/27 13:37:24 | 000,122,880 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\SDDMUI.DLL
[2003/05/27 13:37:24 | 000,099,616 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\IMF16.drv
[2003/05/27 13:37:24 | 000,098,304 | ---- | C] (Zenographics) -- C:\Program Files\vsetup.dll
[2003/05/27 13:37:24 | 000,090,112 | ---- | C] (Zenographics) -- C:\Program Files\apptune.exe
[2003/05/27 13:37:24 | 000,086,016 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\ZSPOOL.DLL
[2003/05/27 13:37:24 | 000,077,824 | ---- | C] (Zenographics) -- C:\Program Files\zlmhp1.dll
[2003/05/27 13:37:24 | 000,073,728 | ---- | C] (Zenographics) -- C:\Program Files\ZSHP1000.dll
[2003/05/27 13:37:24 | 000,070,656 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\Sd32.dll
[2003/05/27 13:37:24 | 000,065,536 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\SDDM32.DLL
[2003/05/27 13:37:24 | 000,054,784 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\zPJL.dll
[2003/05/27 13:37:24 | 000,049,152 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\IMFPRINT.DLL
[2003/05/27 13:37:24 | 000,047,120 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\SD4.DLL
[2003/05/27 13:37:24 | 000,045,056 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\zpp.dll
[2003/05/27 13:37:24 | 000,036,864 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\zpppcl.dll
[2003/05/27 13:37:24 | 000,036,864 | ---- | C] (Zenographics) -- C:\Program Files\zstatus.exe
[2003/05/27 13:37:24 | 000,036,864 | ---- | C] (Zenographics) -- C:\Program Files\fwdl.exe
[2003/05/27 13:37:24 | 000,032,256 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\imfnt5.dll
[2003/05/27 13:37:24 | 000,029,184 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\ZSPOOL32.EXE
[2003/05/27 13:37:24 | 000,028,672 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\zlm.dll
[2003/05/27 13:37:24 | 000,028,672 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\SDNT5UI.dll
[2003/05/27 13:37:24 | 000,026,624 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\QDPRINT.DLL
[2003/05/27 13:37:24 | 000,023,552 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\ZGDI32.DLL
[2003/05/27 13:37:24 | 000,022,608 | ---- | C] (Microsoft Corporation) -- C:\Program Files\USBPRINT.SYS
[2003/05/27 13:37:24 | 000,019,456 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\ZTAG32.DLL
[2003/05/27 13:37:24 | 000,018,944 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\SDIMF32.DLL
[2003/05/27 13:37:24 | 000,016,384 | ---- | C] (Zenographics) -- C:\Program Files\ZJBIG.dll
[2003/05/27 13:37:24 | 000,012,288 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\IMF32.DLL
[2003/05/27 13:37:24 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Program Files\USBMON.DLL
[2003/05/27 13:37:24 | 000,009,216 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\Zlang.dll
[2003/05/27 13:37:24 | 000,008,704 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\ZPRINT32.EXE
[2003/05/27 13:37:24 | 000,005,632 | ---- | C] (Zenographics, Inc.) -- C:\Program Files\SDNTUM4.DLL
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/06 11:52:28 | 000,567,243 | ---- | M] () -- C:\Documents and Settings\yomamason\Desktop\virtumondo geekstogo forum posts.pdf
[2010/04/06 11:50:12 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\yomamason\Desktop\OTL.exe
[2010/04/05 23:07:20 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\yomamason\Desktop\gmer.zip
[2010/04/05 22:57:30 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/05 22:57:19 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/05 22:57:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/05 13:52:17 | 009,437,184 | ---- | M] () -- C:\Documents and Settings\yomamason\ntuser.dat
[2010/04/05 13:52:17 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\yomamason\ntuser.ini
[2010/04/05 13:52:09 | 003,772,738 | -H-- | M] () -- C:\Documents and Settings\yomamason\Local Settings\Application Data\IconCache.db
[2010/04/05 13:24:51 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/04 09:19:42 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/04 09:10:36 | 000,000,309 | RHS- | M] () -- C:\boot.ini
[2010/04/04 09:07:41 | 003,907,280 | R--- | M] () -- C:\Documents and Settings\yomamason\Desktop\SubsFix.exe
[2010/04/02 21:00:05 | 000,000,599 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/02 20:54:49 | 000,000,582 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/02 20:54:49 | 000,000,239 | ---- | M] () -- C:\Boot.bak
[2010/04/02 19:39:50 | 000,011,776 | ---- | M] () -- C:\Documents and Settings\yomamason\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/02 11:07:20 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\yomamason\Desktop\HijackThis.lnk
[2010/04/02 11:05:35 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\yomamason\Desktop\HijackThisInstaller.exe
[2010/04/02 10:22:50 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/04/02 10:22:43 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/06 11:52:28 | 000,567,243 | ---- | C] () -- C:\Documents and Settings\yomamason\Desktop\virtumondo geekstogo forum posts.pdf
[2010/04/05 23:07:19 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\yomamason\Desktop\gmer.zip
[2010/04/04 09:10:35 | 000,000,239 | ---- | C] () -- C:\Boot.bak
[2010/04/04 09:10:34 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/04 09:08:33 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/04 09:08:33 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/04 09:07:41 | 003,907,280 | R--- | C] () -- C:\Documents and Settings\yomamason\Desktop\SubsFix.exe
[2010/04/02 20:55:59 | 000,000,599 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/02 11:07:20 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\yomamason\Desktop\HijackThis.lnk
[2010/04/02 10:22:50 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/02/08 22:56:08 | 000,000,256 | ---- | C] () -- C:\Documents and Settings\yomamason\pool.bin
[2010/01/19 19:56:42 | 000,186,584 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/01/14 17:50:54 | 009,437,184 | ---- | C] () -- C:\Documents and Settings\yomamason\ntuser.dat
[2009/12/22 22:51:59 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/12/21 21:48:30 | 000,082,289 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/11/03 22:57:21 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2009/07/26 15:37:14 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\yomamason\Application Data\PFP120JPR.{PB
[2009/07/26 15:37:14 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\yomamason\Application Data\PFP120JCM.{PB
[2009/07/24 18:05:16 | 000,000,392 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/07/22 21:10:49 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\yomamason\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/21 23:26:06 | 000,645,632 | ---- | C] () -- C:\Documents and Settings\yomamason\Jan 7, 08.doc
[2009/07/21 23:26:06 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\yomamason\Refco_IPO+DueDiligenceDefense_04-22-07.doc
[2009/07/21 23:26:06 | 000,214,016 | ---- | C] () -- C:\Documents and Settings\yomamason\Hedge Hogging Trade Secrets OUTLINE.doc
[2009/07/21 23:26:06 | 000,118,272 | ---- | C] () -- C:\Documents and Settings\yomamason\BdC.rr.draft17[1] August 12, 08.doc
[2009/07/21 23:26:06 | 000,116,224 | ---- | C] () -- C:\Documents and Settings\yomamason\The BAWAG Scandal April 5, 07 @ 10.42am.doc
[2009/07/21 23:26:06 | 000,104,448 | ---- | C] () -- C:\Documents and Settings\yomamason\USAvSergeyAleynikov-7-4-09-full.doc
[2009/07/21 23:26:06 | 000,065,536 | ---- | C] () -- C:\Documents and Settings\yomamason\MT SUPRESS 5.30pm.doc
[2009/07/21 23:26:06 | 000,045,568 | ---- | C] () -- C:\Documents and Settings\yomamason\MEMO.doc
[2009/07/21 23:26:06 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\yomamason\Discussion Section June 7, 2008.doc
[2009/07/21 23:26:06 | 000,039,424 | ---- | C] () -- C:\Documents and Settings\yomamason\WECOMM.doc
[2009/07/21 23:26:06 | 000,036,864 | ---- | C] () -- C:\Documents and Settings\yomamason\Inquest Pinochet.doc
[2009/07/21 23:26:06 | 000,031,232 | ---- | C] () -- C:\Documents and Settings\yomamason\Bank Fraud SECTION June 10, 08.doc
[2009/07/21 23:26:06 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\yomamason\Code has replaced bylaws.doc
[2009/07/21 23:26:05 | 000,662,528 | ---- | C] () -- C:\Documents and Settings\yomamason\April 16, 08 version from FOrd and Ed via email MH VERSION May 4, 08.doc
[2009/07/21 23:26:05 | 000,055,808 | ---- | C] () -- C:\Documents and Settings\yomamason\06-2647.mo.draft4 May 17, 08 @ 4pm.doc
[2009/07/20 21:44:21 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\yomamason\ntuser.dat.LOG
[2009/07/20 21:44:21 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\yomamason\ntuser.ini
[2009/07/20 21:43:42 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2009/07/20 21:43:42 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2009/05/08 11:13:04 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2009/04/30 17:00:12 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2009/03/09 18:42:51 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/05/27 13:37:24 | 001,619,183 | ---- | C] () -- C:\Program Files\guide.pdf
[2003/05/27 13:37:24 | 000,114,233 | ---- | C] () -- C:\Program Files\sihp1000.img
[2003/05/27 13:37:24 | 000,088,504 | ---- | C] () -- C:\Program Files\dour65w.ttf
[2003/05/27 13:37:24 | 000,088,408 | ---- | C] () -- C:\Program Files\dour45w.ttf
[2003/05/27 13:37:24 | 000,080,712 | ---- | C] () -- C:\Program Files\dour66w.ttf
[2003/05/27 13:37:24 | 000,080,676 | ---- | C] () -- C:\Program Files\dour46w.ttf
[2003/05/27 13:37:24 | 000,054,675 | ---- | C] () -- C:\Program Files\SDhp1000.hlp
[2003/05/27 13:37:24 | 000,032,768 | ---- | C] () -- C:\Program Files\spldr.exe
[2003/05/27 13:37:24 | 000,032,351 | ---- | C] () -- C:\Program Files\hp1KW9x.cat
[2003/05/27 13:37:24 | 000,030,336 | ---- | C] () -- C:\Program Files\readme.wri
[2003/05/27 13:37:24 | 000,020,489 | ---- | C] () -- C:\Program Files\hp1KW2K.cat
[2003/05/27 13:37:24 | 000,010,546 | ---- | C] () -- C:\Program Files\read1st.txt
[2003/05/27 13:37:24 | 000,008,911 | ---- | C] () -- C:\Program Files\zUsb.cat
[2003/05/27 13:37:24 | 000,007,315 | ---- | C] () -- C:\Program Files\ZShp1000.hlp
[2003/05/27 13:37:24 | 000,003,608 | ---- | C] () -- C:\Program Files\HPLJ1000.INF
[2003/05/27 13:37:24 | 000,002,991 | ---- | C] () -- C:\Program Files\SDhp1000.sdd
[2003/05/27 13:37:24 | 000,001,598 | ---- | C] () -- C:\Program Files\sd4.ini
[2003/05/27 13:37:24 | 000,001,145 | ---- | C] () -- C:\Program Files\SDhp1000.UNZ
[2003/05/27 13:37:24 | 000,000,949 | ---- | C] () -- C:\Program Files\zUsb.inf
[2003/05/27 13:37:24 | 000,000,271 | ---- | C] () -- C:\Program Files\apptune.ini
[2001/11/15 09:17:14 | 000,000,054 | ---- | C] () -- C:\Program Files\HPLJ1000.DOI
[1996/10/07 15:53:58 | 000,006,020 | ---- | C] () -- C:\Program Files\HPLicen.txt

========== LOP Check ==========

[2010/04/02 10:21:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/07/22 07:12:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2010/02/08 21:44:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2009/03/09 18:37:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
[2009/11/02 17:54:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yomamason\Application Data\Blitware
[2010/01/19 20:05:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yomamason\Application Data\GoodShopToolbar
[2009/12/21 21:49:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yomamason\Application Data\Leadertech
[2009/11/07 09:59:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yomamason\Application Data\Opera
[2010/02/08 23:15:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yomamason\Application Data\Research In Motion

========== Purity Check ==========


< End of report >


Malwarebytes LOG

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3960

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/6/2010 12:37:40 PM
mbam-log-2010-04-06 (12-37-40).txt

Scan type: Full scan (C:\|)
Objects scanned: 174178
Time elapsed: 33 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#13
inzanity

    Member

  • Member
  • 37 posts
Hi,

How is your computer?

Please do the following:

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty in properly disabling your protective programs, refer to this link - How to Disable your Security Programs
--------------------------------------------------------------------

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

DeQuarantine::
C:\Qoobox\Quarantine\c\windows\AppPatch\AcAdProc.dll.vir

Quit::

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at DeQuarantine_log.txt which I will require in your next reply.

--Next--

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    IE - HKU\S-1-5-21-3854968036-1053989040-1482831176-1005\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot when it is done.
  • Then post the result and a new OTL log in your next reply. (Don't check the boxes beside LOP Check or Purity this time.)
--Next--

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

    Posted Image
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
1. DeQuarantine_log.txt
2. OTL log.
3. Kaspersky log.
4. How is your computer?
  • 0

#14
mpurchases

    Member

  • Topic Starter
  • Member
  • 72 posts
Firstly - here is the ComboFix log - I followed the instructions. HOWEVER, when I went to save the log it did not name itself DeQuarantine_log.txt. I saved it under my own name - so I am not sure ComboFix took the code I dragged into it - but I am sure you can see if it did from the log.

HERE is the LOG

ComboFix 10-04-03.02 - yomamason 04/07/2010 6:17.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.554 [GMT -4:00]
Running from: c:\documents and settings\yomamason\Desktop\SubsFix.exe
Command switches used :: c:\documents and settings\yomamason\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-06 16:02 . 2010-04-06 16:02 -------- d-----w- c:\docume~1\YOMAMA~1\APPLIC~1\Malwarebytes
2010-04-06 16:02 . 2010-04-06 16:02 -------- d-----w- c:\program files\MBAM
2010-04-03 00:58 . 2010-04-03 01:00 -------- d-----w- c:\program files\renamed
2010-04-03 00:57 . 2010-04-03 00:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-03 00:55 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-03 00:55 . 2010-04-03 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-03 00:55 . 2010-04-03 00:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 00:55 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-03 00:52 . 2010-04-03 00:52 -------- d-----w- c:\program files\ERUNT
2010-04-02 15:07 . 2010-04-02 15:07 -------- d-----w- c:\program files\Trend Micro
2010-04-02 14:22 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-02 14:22 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-02 14:22 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-02 14:22 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-02 14:22 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-02 14:22 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-02 14:22 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-02 14:22 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-02 14:22 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-02 14:21 . 2010-04-02 14:21 -------- d-----w- c:\program files\Alwil Software
2010-04-02 14:21 . 2010-04-02 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-02 13:37 . 2010-04-02 13:37 -------- d-----w- c:\program files\Safer Networking
2010-04-01 00:00 . 2010-04-01 00:00 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 17:12 . 2009-12-23 03:03 -------- d-----w- c:\docume~1\YOMAMA~1\APPLIC~1\vlc
2010-03-22 15:12 . 2009-07-24 20:32 -------- d-----w- c:\docume~1\YOMAMA~1\APPLIC~1\Skype
2010-03-21 16:37 . 2009-07-24 22:17 -------- d-----w- c:\docume~1\YOMAMA~1\APPLIC~1\skypePM
2010-03-18 14:52 . 2009-12-22 01:49 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-03-18 14:52 . 2009-12-22 01:47 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-03-04 17:51 . 2009-07-21 01:59 103928 ----a-w- c:\documents and settings\yomamason\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-09 03:15 . 2010-02-09 02:00 -------- d-----w- c:\docume~1\YOMAMA~1\APPLIC~1\Research In Motion
2010-02-09 02:56 . 2010-02-09 02:56 256 ----a-w- c:\documents and settings\yomamason\pool.bin
2010-02-09 02:56 . 2010-02-09 02:00 256 ----a-w- c:\windows\system32\pool.bin
2010-02-09 02:41 . 2010-02-09 02:01 -------- d-----w- c:\docume~1\YOMAMA~1\APPLIC~1\Roxio
2010-02-09 02:39 . 2010-02-09 02:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2010-02-09 01:58 . 2010-02-09 01:58 -------- d-----w- c:\docume~1\YOMAMA~1\APPLIC~1\InstallShield
2010-02-09 01:57 . 2010-02-09 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2010-02-09 01:56 . 2010-02-09 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-02-09 01:55 . 2010-02-09 01:42 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-02-09 01:54 . 2010-02-09 01:53 -------- d-----w- c:\program files\Roxio
2010-02-09 01:53 . 2010-02-09 01:53 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-02-09 01:45 . 2009-07-26 19:34 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-09 01:44 . 2010-02-09 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-02-09 01:44 . 2010-02-09 01:41 -------- d-----w- c:\program files\Research In Motion
2010-02-09 01:42 . 2010-02-09 01:41 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-01-19 23:56 . 2010-01-19 23:56 186584 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2001-11-15 13:17 . 2001-11-15 13:17 54 ----a-w- c:\program files\HPLJ1000.DOI
1996-10-07 19:53 . 1996-10-07 19:53 6020 ----a-w- c:\program files\HPLicen.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^yomamason^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\yomamason\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 06:12 483328 ----a-w- c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 22:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 04:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 14:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2008-10-24 14:14 206112 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 14:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-05-08 15:35 2780432 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-24 00:20 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-12-23 02:48 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"JavaQuickStarterService"=3 (0x3)
"Adobe Version Cue CS2"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Alwil Software\\Avast5\\AvastSvc.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/2/2010 10:22 AM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/2/2010 10:22 AM 19024]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/9/2009 6:05 PM 80384]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [11/8/2009 6:25 PM 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [11/8/2009 6:25 PM 500608]

--- Other Services/Drivers In Memory ---

*Deregistered* - awtdrpow
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 06:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(3848)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-04-07 06:24:35
ComboFix-quarantined-files.txt 2010-04-07 10:24

Pre-Run: 20,225,384,448 bytes free
Post-Run: 20,210,483,200 bytes free

- - End Of File - - 64AE99A9365CAC4D6077435535156167

#15 mpurchases (Topic Starter, Member, 72 posts)

I ran the OTL program and followed your instructions. I did not uncheck the boxes beside LOP Check or Purity this time, so I might have messed up here.

OTL ran with the code in it, as you requested. The computer rebooted and I got an error saying it could not find otl.exe or something like that. Now OTL is not on my desktop as it was before.

I do not know where a new OTL log would be, as I cannot find the OTL program anymore.

I think I must have messed up somewhere on this step.